cURL / Mailing Lists / curl-library / Single Mail


[PATCH 0/6] Re: Bug: libcurl truncates passwords longer than 255

From: Jonathan Nieder <>
Date: Mon, 19 Aug 2013 00:34:20 -0700


Daniel Stenberg wrote:
> On Sat, 17 Aug 2013, Alessandro Ghedini wrote:

>> At [1] there's an attempt of a patch that basically strdup()s the password
>> and username, altough it doesn't yet pass the test suite:
> I would like to see a patch that removes the fixed length limit, sure!

Thanks. Here goes.

The series is pretty much as before. Changes since the rough draft:
 - split into patches that do one thing at a time
 - remove the length limit in sasl code, too
 - set 'proxy' to NULL after freeing it (the draft forgot to do this,
   causing tests to fail with a double free)
 - various cosmetic improvements

Passes "make check", and the test case from
works now.


Jonathan Nieder (6):
  sasl: allow arbitrarily long username and password
  url: use goto in create_conn() for exception handling
  url: allocate username, password, and options on the heap
  netrc: handle arbitrary-length username and password
  Curl_setopt: handle arbitrary-length username and password
  url: handle exceptional cases first in parse_url_login()

 lib/curl_sasl.c | 42 +++++---
 lib/netrc.c | 20 ++--
 lib/netrc.h | 14 +--
 lib/url.c | 260 ++++++++++++++++++++++++++++----------------------
 tests/unit/unit1304.c | 53 +++++-----
 5 files changed, 222 insertions(+), 167 deletions(-)
List admin:
Received on 2013-08-19